FileNet P8 Platform, Version 5.2.1            

Allow or Deny and order of evaluation

Each ACE has one access type: either Allow or Deny.

When evaluating the access granted by a particular ACL, the current system applies ACEs in the following order of precedence (higher on the list takes precedence over lower):
ACE source and type     Display
Direct/Default Deny     Deny is selected and is editable.
Direct/Default Allow    Allow is selected and is editable.
Template Deny           Deny is selected and is not editable.
Template Allow          Allow is selected and is not editable.
Inherited Deny          Deny is selected and is not editable.
Inherited Allow         Allow is selected and is not editable.

You cannot remove or change an inherited access right, but you can override one by directly allowing or denying an access right. To edit an inherited access right, the administrator must modify the parent that is the source of the inherited access right.

Because Deny has precedence over Allow within each category (for example, a Template Deny takes precedence over a Template Allow), if you explicitly deny an access right to a group and explicitly allow it to a member of that group, the access right will be denied to the member.

By contrast, across categories the order in the table applies: if an ACL contained two ACEs that were identical in every respect except that one was an Inherited Deny and the other a Direct Allow, the Direct Allow would take precedence, and the user would be allowed the access right.
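
The precedence order described above can be modelled in a few lines to check why a given user ends up allowed or denied. This is an added example, not FileNet code or API: the ACE class, the effective_access function, and the user, group and access right names are hypothetical, and it assumes that a user with no matching ACE is granted nothing.

```python
from dataclasses import dataclass

# Ranks follow the precedence table: source first, then Deny before Allow.
SOURCE_RANK = {"direct": 0, "default": 0, "template": 1, "inherited": 2}
TYPE_RANK = {"deny": 0, "allow": 1}

@dataclass(frozen=True)
class ACE:
    grantee: str        # user or group name (constructed sample names)
    source: str         # "direct", "default", "template" or "inherited"
    access_type: str    # "allow" or "deny"
    rights: frozenset   # access rights this ACE covers (hypothetical names)

def effective_access(acl, user, groups, right):
    """Return (allowed, deciding_ace) for one user and one access right."""
    principals = {user, *groups}
    matching = [a for a in acl if a.grantee in principals and right in a.rights]
    if not matching:
        # Assumption (not stated on the page): no matching ACE grants nothing.
        return False, None
    winner = min(matching,
                 key=lambda a: (SOURCE_RANK[a.source], TYPE_RANK[a.access_type]))
    return winner.access_type == "allow", winner

# Constructed sample ACL covering the cases discussed in the text.
SAMPLE_ACL = [
    ACE("alice", "inherited", "deny", frozenset({"delete"})),
    ACE("alice", "direct", "allow", frozenset({"delete"})),
    ACE("contractors", "direct", "deny", frozenset({"modify"})),
    ACE("bob", "direct", "allow", frozenset({"modify"})),
    ACE("carol", "template", "allow", frozenset({"view"})),
    ACE("carol", "inherited", "deny", frozenset({"view"})),
]

if __name__ == "__main__":
    checks = [("alice", [], "delete"), ("bob", ["contractors"], "modify"),
              ("carol", [], "view"), ("dave", [], "view")]
    for user, groups, right in checks:
        allowed, ace = effective_access(SAMPLE_ACL, user, groups, right)
        reason = (f"{ace.source} {ace.access_type} for {ace.grantee}"
                  if ace else "no matching ACE")
        print(f"{user:6} {right:7} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Returning the deciding ACE alongside the decision shows which entry to edit, or which parent to modify when the deciding ACE is inherited.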



Last updated: March 2016

© Copyright IBM Corporation 2017.